Automating Credential Stuffing
Updates the credential stuffing code to test multiple different username and password combinations against the login page.
Introduction to automatic credential stuffing
Credential stuffing is a common attack technique because it is an easily automated attack vector. A fully automated credential-stuffing attack requires three things:
A means of submitting login credentials to the target system
The ability to tell whether or not a login attempt succeeded
A list of usernames and passwords to try on the site
We’ve implemented the first two items on this list, attempting to log into a site with a single username and password. Now, we’ll work on completing the automated attack by updating the script to make multiple attempts with a list of usernames and passwords.
Creating a credential dictionary
An important first step when building a credential stuffer is defining a dictionary of usernames and passwords to try in the attack. A credential dictionary can come from a few different sources, including the following:
Common password lists
Breached credentials
Random password generation
Numerous lists of credentials are available on the internet for download; some are built into existing tools, and tools exist to automatically generate tailored lists. In this lesson, we’ll use a small list containing some common, simple usernames and passwords.
Automating the credential-stuffing attack
Previously, we’ve implemented a simple credential stuffer that performs a single username/password check and automatically checks the result. The next step is to update the code to try multiple usernames and passwords until a correct combination is found.
The following code block shows how the existing credential stuffer, using the requests
library, can be updated to perform multiple lookups.
Get hands-on with 1200+ tech skills courses.